
WordPress All In One SEO Pack 2.3.6.1 Cross Site Scripting

------------------------------------------------------------------------
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the All in One SEO Pack WordPress Plugin version 2.3.6.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 2.3.7 of the plugin.

Free version: https://wordpress.org/plugins/all-in-one-seo-pack/
Pro version: https://semperplugins.com/all-in-one-seo-pack-pro-version/

A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.

The SEO Pack Bot Blocker functionality can be used to prevent certain bots from accessing/crawling the website. Bots can be detected based on User Agent and Referrer header patterns. When the User Agent contains one of the pre-configured list of bot names like "Abonti", "Bullseye" or "Exabot" the request is blocked and a 404 is returned.

If the "Track Blocked Bots" setting is enabled (it is off by default), blocked requests are logged and rendered on the Bot Blocker settings page without proper sanitization or output encoding, allowing XSS.
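The root cause is an output-encoding failure: attacker-controlled header values of a blocked request are written into an admin page as raw HTML. The following PHP is an added illustration and not code from the All in One SEO Pack plugin; it models that flow with a vulnerable renderer next to a hardened one. htmlspecialchars() stands in for WordPress's esc_html(), and the bot list, header values and function names are constructed for this example.

```php
<?php
// Added illustration, not code from the All in One SEO Pack plugin.
// Models the pattern in the advisory: headers of a blocked request are
// stored and later rendered inside a <pre> block on an admin page.

// Constructed subset of a bot-name blocklist (names taken from the advisory).
const BAD_BOT_NAMES = ['Abonti', 'Bullseye', 'Exabot'];

/** Returns true when the User-Agent contains one of the configured bot names. */
function is_bad_bot(string $user_agent): bool
{
    foreach (BAD_BOT_NAMES as $name) {
        if (stripos($user_agent, $name) !== false) {
            return true;
        }
    }
    return false;
}

/** Vulnerable: header values are concatenated into the HTML unchanged. */
function render_blocked_log_vulnerable(array $entries): string
{
    $out = "<pre>\n";
    foreach ($entries as $e) {
        $out .= "{$e['ip']} UA={$e['ua']} Referer={$e['referer']}\n";
    }
    return $out . "</pre>\n";
}

/** Hardened: every attacker-controlled value is HTML-encoded at output time
 *  (htmlspecialchars here; esc_html() inside WordPress). */
function render_blocked_log_safe(array $entries): string
{
    $out = "<pre>\n";
    foreach ($entries as $e) {
        $out .= sprintf(
            "%s UA=%s Referer=%s\n",
            htmlspecialchars($e['ip'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($e['ua'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($e['referer'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return $out . "</pre>\n";
}

// Constructed sample traffic: one anonymous request matching the blocklist
// whose User-Agent carries markup, and one ordinary browser request.
$requests = [
    ['ip' => '203.0.113.10', 'ua' => 'Exabot <b>markup</b>', 'referer' => '-'],
    ['ip' => '198.51.100.7', 'ua' => 'Mozilla/5.0 (regular browser)', 'referer' => '-'],
];

// Only blocked requests reach the log, as with "Track Blocked Bots".
$blocked = array_values(array_filter($requests, fn($r) => is_bad_bot($r['ua'])));

echo "Vulnerable rendering (markup reaches the browser as HTML):\n";
echo render_blocked_log_vulnerable($blocked), "\n";
echo "Hardened rendering (markup is shown as text):\n";
echo render_blocked_log_safe($blocked), "\n";
```

The fix belongs at the output boundary, not at logging time: storing the raw User-Agent and Referer keeps the log useful for investigation, while encoding on render ensures a `<pre>` block displays the markup as text. Note that a `<pre>` element does not protect against injected tags by itself; only encoding does.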

1/ Go to the "Bad Bot Blocker" settings page in the All in One SEO menu.
2/ Enable "Block Bad Bots using HTTP" and/or "Block Referral Spam using HTTP".
3/ Send the exploit request (with the payload in the Referer or User-Agent header) to the server. Anywhere. Make sure to send your exploit request as an anonymous user: when you are logged in (have cookies), you are never seen as a bot.
4/ If all is set up correctly, your request will be blocked (HTTP/1.1 503 Service Unavailable).
5/ Open the "Bad Bot Blocker" settings page as WP admin.
6/ Your payload will run, since it is logged inside a <pre> tag.

The "Track Blocked Bots" setting can potentially be used to show or hide the <pre> block, but it is not needed for the payload to run. The payload can be placed in either the User-Agent or the Referer header.